bin/124724: netstat coredump on -stable

Jaakko Heinonen jh at saunalahti.fi
Mon Jun 23 19:00:12 UTC 2008


The following reply was made to PR bin/124724; it has been noted by GNATS.

From: Jaakko Heinonen <jh at saunalahti.fi>
To: Garrett Cooper <yanefbsd at gmail.com>
Cc: bug-followup at FreeBSD.org, heliar at at.nsu.ru
Subject: Re: bin/124724: netstat coredump on -stable
Date: Mon, 23 Jun 2008 21:58:56 +0300

 Hi,
 
 On 2008-06-19, Garrett Cooper wrote:
 >  > Same thing occurs on -CURRENT (backtrace):
 >  >
 >  > (gdb) bt
 >  > #0  0x280960ff in kvm_nlist () from /lib/libkvm.so.4
 >  > #1  0x2809b25e in memstat_kvm_malloc () from /usr/lib/libmemstat.so.2
 >  > #2  0x2809a0fa in memstat_kvm_all () from /usr/lib/libmemstat.so.2
 >  > #3  0x08050aa8 in mbpr (kvmd=0x0, mbaddr=0) at mbuf.c:103
 >  > #4  0x080500eb in main (argc=1, argv=0xbfbfec40) at main.c:510
 >  
 >  After doing some reading it appears that netstat is passing in an
 >  invalid value to memstat_kvm_all, which subsequently calls
 >  memstat_kvm_malloc for mbuf.c (kvmd = NULL). Calling malloc with NULL
 >  for a pointer address of course is invalid coding.
 
 This happens when memf == NULL and nlistf != NULL (main.c). This
 situation (where memf == NULL and nlistf != NULL) doesn't make sense
 because kvm_openfiles(3) doesn't make use of the nlistf value if memf is
 NULL (kvm_openfiles() call at line 674 in r179949). If both mentioned
 variables are NULL, a live mode which copes with NULL values is enabled.
 
 The bug is also reproducible with the following command line:
 
 $ netstat -m -N foo
 Segmentation fault: 11
 
 Below is a fix that makes it exit with an error message if memf ==
 NULL and nlistf != NULL.
 
 After applying the fix:
 
 $ netstat -m foo
 netstat: no core file specified
 
 -- 
 Jaakko
 
 Index: usr.bin/netstat/main.c
 ===================================================================
 --- usr.bin/netstat/main.c	(revision 179949)
 +++ usr.bin/netstat/main.c	(working copy)
 @@ -492,7 +492,12 @@ main(int argc, char *argv[])
  	 * Discard setgid privileges if not the running kernel so that bad
  	 * guys can't print interesting stuff from kernel memory.
  	 */
 -	live = (nlistf == NULL && memf == NULL);
 +	if (memf == NULL) {
 +		if (nlistf != NULL)
 +			errx(1, "no core file specified");
 +		live = 1;
 +	}
 +
  	if (!live)
  		setgid(getgid());
  
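Review bot: the new block only assigns `live` when `memf == NULL`, so in the `memf != NULL` case `live` keeps whatever value it had before; the `if (!live)` test that follows is therefore only correct if `live` is a zero-initialized file-scope variable rather than a local. If it is a global, consider stating that in a comment; otherwise keep an unconditional assignment, e.g. `live = (memf == NULL);` before the `if`, and leave the `errx(1, "no core file specified")` check for the `nlistf != NULL` case as the patch has it. The early `errx()` exits before `setgid(getgid())` runs, which is acceptable here because the process terminates without reading any kernel memory.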

